Law firms deal with some of the most confidential and sensitive data in society and yet so many of them have such lax policies on information security. There are some simple things you can do to dramatically improve your information security and they don’t require you to purchase expensive gear.
Keep Your Passwords Your Own
I can’t tell you how many times I’ve been at a firm and heard an attorney come out of their office and say “Patty, I’m going to Phoenix for a couple of days to meet with Acme Co. Check my e-mail while I’m away; my password is….” I just want to grab that attorney and shake them!
NEVER share your password. Never. This is 2011. You can check your own e-mail from the road if you need to. Practically every gadget in your pocket can check your e-mail these days. Heck you can check your e-mail on a PlayStation if you have to.
But perhaps you don’t want to do that. Maybe it’s a real vacation and not a client trip. There are ways to have your assistant check your e-mail WITHOUT having to totally compromise your network identity. You can share your Inbox with them; you can have copies of your mail forwarded to them; you can create a separate special folder they can access with client messages. There are a lot of ways to do it.
When you give your assistant your username and password your assistant can log into the system AS YOU. Not only can they check your e-mail they can access EVERYTHING you can access. Everything. Time and billing? Yes. Payroll? If you can, they can. Do you save your banking and other website passwords in your browser? If your assistant can log into your computer as you, they can access all of that.
Your assistant can send e-mails AS you.
The other problem with having your assistant log into your mailbox and check your e-mail is that they can access more than just the new e-mail you receive. They can access e-mails you’ve saved from before, including that message from the Compensation Committee on staff raises for 2011. And that nostalgic e-mail from your high school girlfriend about that time….well, you remember. And now your assistant does too.
Scared yet? It gets worse. When was the last time you changed your password? How many assistants have you gone through in that time? For one of my clients the answer to that question was “7 years” and “Five. No, six!” So there are how many people walking around out there, who no longer work for you, who know your username and password? Any of those people working for opposing counsel these days?
A password compromised must be changed. Right now.
Not Passwords, Pass Phrases
As long as you’re changing your password, let’s make it a good one. The important thing to remember with passwords is that LONG is better than complex. r6IKjX is a terrible password. Yes, it’s very random. It’s also only 6 characters long, and a brute force attack (that’s when the attacker just tries every combination of characters) will break it in a matter of minutes or hours at the most. Plus it’s really hard to remember, so you’re more likely to write it on a Post-it and stick it on your monitor (or under your keyboard, where nobody ever looks).
The better plan is to select a phrase. Something that means something to you.
“My 2 dogs are cute!”
That’s 20 characters, mixed case, with numbers and symbols. It would take a generation for a computer to brute force that and it’s easy for you to remember.
Got a favorite song?
“Hey Jude, don’t make it bad”
28 characters, easy to remember, not that hard to type, really hard to break.
Long, personal, easy to remember, hard to guess. That’s the key.
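To put numbers behind the "long beats complex" argument, here is a small script that compares the two sample passwords above. It is an added example written for this post, not something from the original article: it estimates the alphabet an attacker would have to cover from the character classes actually present, raises that to the password length to get the number of possible combinations, and converts that into the time an attacker guessing at an assumed rate (one billion guesses per second, an offline cracking rate chosen for illustration) would need to try them all. The sample passwords are typed with a plain ASCII apostrophe, and the script counts characters itself rather than relying on the counts in the text.

```python
import math
import string

# Size each character class adds to the alphabet an attacker must search.
# Counting space together with punctuation as one class of 33 is an
# assumption of this example (string.punctuation has 32 symbols).
CLASS_SIZES = {
    "lower": 26,
    "upper": 26,
    "digit": 10,
    "symbol": len(string.punctuation) + 1,
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def alphabet_size(password: str) -> int:
    """Sum the sizes of the character classes actually present in the password.
    This mirrors how a brute-force attacker widens the alphabet only when the
    target is known to use that class."""
    present = set()
    for ch in password:
        if ch.islower():
            present.add("lower")
        elif ch.isupper():
            present.add("upper")
        elif ch.isdigit():
            present.add("digit")
        else:
            present.add("symbol")
    return sum(CLASS_SIZES[cls] for cls in present)


def keyspace(password: str) -> int:
    """Number of combinations a full brute-force search must cover."""
    return alphabet_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """Brute-force strength expressed in bits (log2 of the keyspace)."""
    return math.log2(keyspace(password))


def years_to_exhaust(password: str, guesses_per_second: float = 1e9) -> float:
    """Years needed to try every combination at the given guessing rate."""
    return keyspace(password) / guesses_per_second / SECONDS_PER_YEAR


def compare(passwords, guesses_per_second: float = 1e9):
    """Build a comparison table (list of dicts) for a set of passwords."""
    return [
        {
            "password": pw,
            "length": len(pw),
            "alphabet": alphabet_size(pw),
            "bits": round(entropy_bits(pw), 1),
            "years": years_to_exhaust(pw, guesses_per_second),
        }
        for pw in passwords
    ]


if __name__ == "__main__":
    # Constructed sample passwords taken from the discussion above.
    samples = ["r6IKjX", "My 2 dogs are cute!", "Hey Jude, don't make it bad"]
    for row in compare(samples):
        print(
            f"{row['password']!r:32} len={row['length']:2d} "
            f"alphabet={row['alphabet']:3d} bits={row['bits']:6.1f} "
            f"years={row['years']:.3g}"
        )
```

The short random password has an alphabet of 62 and about 36 bits of strength, which the assumed attacker exhausts in under a minute; the two phrases come out well above 100 bits, and the time to exhaust them is measured in multiples of the age of the universe. One caveat for the song-lyric approach: the figures above assume a pure brute-force search, and password-cracking word lists already contain well-known lyrics and quotations, so a phrase that is personal to you holds up better than a famous one.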
And keep it to yourself. A password compromised MUST be changed. Now.
One Last Secret…
I’ll tell you something your IT guys might not want you to know…in most cases THEY don’t need to know your passphrase either. In a Windows domain (and if you have a Windows server, you undoubtedly have one), the IT guys can change your password when they need to access your data, without your assistance. Then, when they’re done, they can tell you the temporary password they used; you log in and change it back to your own, secret, pass phrase. That doesn’t work in EVERY case, but in most cases it does.
Keep your identity your own. Don’t share your passwords, select good long pass phrases and change them if they’re compromised.